Brenner, Cyberthreats
Susan Brenner, Cyberthreats: The Emerging Fault Lines of the Nation State (2009) Author Background: Distinguished Professor if Law and Technology at University of Dayton Check out her blog at http://cyb3rcrim3.blogspot.com/ Context. First glimmerings of cyberterrorism/cyberwarfare in Estonia, China, and the US Growth of cyberspace and the evolution of cybercrime into big business Scope. Classification of cyberthreats and their implication on law enforcement, military response, and the possible restructuring of our social, economic, and political world order. Thesis: 9 – if we identify activity as war, we use our war rules and strategies to deal with it; if we identify activity as crime, we use our crime rules and strategies to deal with it … this system breaks down when neither the nature of the activity nor the identity of those responsible is apparent. 229 – we can achieve an effective level of military-law enforcement integration at this stage and still maintain the institutional integrity of both entities … let military and law enforcement personnel share information about actual, or suspected attacks. Arguments: 6 -- ambiguity is a key feature of cyber attacks 8 -- control measures designed for the physical world have little in common with such measures in the cyber world 10 -- are civilians legitimate targets in cyber warfare? 10 – Real-world warfare is overt and destructive; cyberwarfare will be subtle and erosive. … In the United States, anyway, our law bars the military from participating in civilian law enforcement; we have an absolute, unbreachable partition between civil and military threat response strategies. … We must devise principles and strategies that are effective in this new threat environment. 14 -- The rules must also specify the rights, duties, and obligations associated with the status and relationships assigned to each member of the system. External order governs a system’s relationship with its environment. … Rules are an absolute necessity for the emergence of self-organizing systems, including human societies. Without rules to order activities and relationships, there is no “system” … rules modern human social systems devise … are almost exclusively territorially based 25 -- old laws aren’t up to dealing with cyber threats 46 -- computers could be a weapon of mass DISTRACTION by providing misinformation or disinformation that spreads chaos (like shouting fire in a crowded theater, writ large) 48 -- computers could be a weapon of mass DISRUPTION by destabilizing essential infrastructure items like power, mass transit, comm, banking, and health care that rely on computers (like setting a fire in a crowded theater, to extend the analogy – the computer causes systemic damage, not just psychological damage could spawn other kinds of damage) 54 – Defenders can no longer routinely assume that threats will be identifiable, singular, and sequential; they must also be able to respond to aggregated threats that can be labyrinthine in structure and discontinuous in occurrence. 69 -- in the real world, only nation states wage war – in the cyber world, anybody can 73 -- attribution of cyber attacks is hard – who did it, and what for? 81 – Historically, an attack originating from the territory of one nation-state, terminating on the sovereign territory of another nation-state, and targeting property owned and used by that nation-state has presumptively constituted an act of war. 82 -- even if we identified the attack as coming from another nation, it’s not like a physical attack – we’d be ready to strike back in most physical attack situations, but explotation (spying) is not as big a deal in the cyber domain 87 -- even if the attacker is from another nation, located in that nation, is it some random dude or a govt employee hired to attack? one way to distinguish between national and private actor is to note the precision and elegance of the attack, where a more precise and elegant attack is likely national, while 89 -- a private attack would be clumsy, crude, and loosely coordinated 90 -- of course, this means that nations could act clumsy, crude, and uncoordinated to conceal their actions as the actions of some dude 91 – We cannot conclusively determine either that the 2007 Estonian attacks (a) were not ''cyberwarfare or (b) ''were cyberwarfare. 96 – we rely on three markers—or indicia—in determining the nature of an attack: (a) point of attack origin, (b) point of attack occurrence, and © motive for the attack … profit drives most cybercrime, ideology drives cyberterrorism, and nation-state rivalries (will) drive cyberwarfare. The difficulty here arises … with our ability to ascertain the motive behind an attack. 97 -- when what is ostensibly cybercrime is state-sponsered--as is increasingly true of economic esponiage--the efficacy of the civilian law enforcement response process breaks down. 98 -- response to cyber acts is restricted by the notion that cops work inside the state and soldiers work outside the state 99 -- cyber warfare may not have a clear winner and loser 101 -- you might not even know you are at war (exploits) 105 -- treaties may limit cyber attack response to cyber means, vice Russia’s threatened nukes doesn’t mean if you lose you have to surrender – you can always escalate 108 – As far as cyberwarfare is concerned, anyway, we need to revise the current definition of warfare so it encompasses non-nation-state attacks on nation-states or their equivalent. 125 – Rigid adherence to the internal-external dichotomy blinds us to the reality that threats are morphing. … If nation-states can infiltrate the internal threat category, I see no reason why civilians, including civilian entities, cannot infiltrate the external threat category. 126 -- we need a more nuanced set of categories for the harm attacks in the cyber domain cause, to better enable a fitting response 164 -- US response authority is “scrupulously bifurcated” between military and police 180 -- posse Comitatus law preventing mil from doing cop work getting weakened by war on drugs and 9/11, but still mostly holds 180 – Under Article 48 of the Protocol Additional to the Geneva Conventions, warring countries must “at all times distinguish between the civilian population and combatants.” 182-3 -- the concept of national security as requiring not just readiness to defend against a threat from outside but a threat from inside weakens posse comitatus and bolsters mil-to-cop cooperation 187 -- civilians can’t do cop stuff – they’d be vigilantes 197 – As warfare becomes more sophisticated, and remote warfare becomes more common, the distinction between civilian noncombatants and civilian combatants continues to erode. 198 – No treaties specifically regulate computer network attack and exploitation (CNAE) … the law of war will have to be modernized so it incorporates the new realities of cyberwarfare. 215 -- professionalization of law enforcement and militias concentrated power at the nation-state’s center of govt 222 -- 'physical control of tangible artifacts of power (currency, police, arms, etc.) is easy for a nation-state to plan to do – it’s tougher to control less-tangible artifacts of power (laws, health care, media bias, etc.) – it’s toughest to control barely-tangible artifacts of power (religion, education, broadcasting)' 224 -- 'cyberspace puts a “virtual overlay over our physical reality ... which becomes an alternate, intangible forum for human endeavors and, in so doing, makes the heretofore fixed borders of territorial states permeable in a way they have never been”' 225 – Nation-state monopolies on the various artifacts of power are eroding. … As technology evolves in sophistication and pervasiveness, the impact of the virtual overlay cyberspace has given us will only become more profound. 226 – we need to develop new strategies to maintain order in the new world we confront … we could maintain the current governance structure … but improve the processes of responding to internal and external threats or devise a new governing configuration, one that is not predicated on and limited by territory 242 – Nation-state cyberwarfare … will deviate from our expectations by eroding, if not erasing, the noncombatant-combatant distinction that is a fundamental premise of the evolved, twentieth-century conception of warfare 266 – Our inhibitions decrease as our actions become … less directly attributable to us 293 – our goal is to implement nonterritorially based processes, we must design a system that integrates military and law enforcement functions into a single function: controlling threats emanating from cyberspace. … need to create a new institution—the Cyber Security Agency